Commit graph

313 commits

Author SHA1 Message Date
Aaron Andersen
fc5df319cf
Merge pull request #165764 from notgne2/oauth2-proxy-group
nixos/oauth2_proxy: add user group
2022-04-01 13:32:21 +02:00
P. R. d. O
f24ae9654d
nixos/sslmate-agent: init 2022-03-28 17:41:18 -06:00
notgne2
863773970c
nixos/oauth2_proxy: add user group 2022-03-25 08:35:30 -07:00
Sandro
3d48fda6f5
Merge pull request #164330 from Luflosi/fix-tor-client-disable 2022-03-20 19:51:30 +01:00
Benjamin Staffin
81b63b6ef6
nixos/oauth2_proxy: add missing oidc providers (#164632)
- Add adfs and keycloak-oidc providers
- Sort the list alphabetically
2022-03-20 13:31:43 -04:00
Luflosi
1b34039b5f
nixos/tor: fix services.tor.client.enable = false not working
If `services.tor.client.enable` is set to false (the default), the `SOCKSPort` option is not added to the torrc file but since Tor defaults to listening on port 9050 when the option is not specified, the tor client is not actually disabled. To fix this, simply set `SOCKSPort` to 0, which disables the client.
Use `mkForce` to prevent potentially two different `SOCKSPort` options in the torrc file, with one of them being 0 as this would cause Tor to fail to start. When `services.tor.client.enable` is set to false, this should always be disabled.
2022-03-15 23:39:02 +01:00
Luflosi
3c63da7cf8
nixos/tor: allow tor to read resolv.conf when using resolved
When `services.resolved.enable` is set to true, the file /etc/resolv.conf becomes a symlink to /etc/static/resolv.conf, which is a symlink to /run/systemd/resolve/stub-resolv.conf. Without this commit, tor does not have access to this file thanks to systemd confinement. This results in the following warning when tor starts:
```
[warn] Unable to stat resolver configuration in '/etc/resolv.conf': No such file or directory
[warn] Could not read your DNS config from '/etc/resolv.conf' - please investigate your DNS configuration. This is possibly a problem. Meanwhile, falling back to local DNS at 127.0.0.1.
```
To fix this, simply allow read-only access to the file when resolved is in use.
According to https://github.com/NixOS/nixpkgs/pull/161818#discussion_r824820462, the symlink may also point to /run/systemd/resolve/resolv.conf, so allow that as well.
2022-03-15 15:16:14 +01:00
lassulus
236a731da0 nixos/tor: admit newlines in secret key 2022-03-09 15:11:01 +01:00
Jonas Heinrich
764670261a nixos/opensnitch: Add options to configure daemon 2022-03-02 18:38:56 -05:00
Renaud
671a068a01
Remove F-PROT package and service module (EoL) (#160372) 2022-03-02 21:51:47 +02:00
Maximilian Bosch
199d4224e9
Merge pull request #155207 from rapenne-s/freshclam_when_internet
clamav: start freshclam after network-online target
2022-03-01 11:14:30 +01:00
Solene Rapenne
317ca6bb4e clamav: remove freshclam service dependency 2022-02-28 22:51:07 +01:00
Pascal Wittmann
65f66dd4d2
Merge pull request #161056 from dywedir/nixos/vaultwarden
nixos/vaultwarden: fix evaluation
2022-02-23 22:27:58 +01:00
Lassulus
79df722cdd
Merge pull request #150886 from mohe2015/improve-step-ca
nixos/step-ca: create a step-ca user
2022-02-22 14:40:25 +01:00
Vladyslav M
eb0dda98dc nixos/vaultwarden: fix evaluation 2022-02-20 14:37:20 +02:00
Moritz Hedtke
9d5aba4ac9
nixos/step-ca: Remove unnecessary passthru.tests 2022-02-13 17:26:48 +01:00
Artturi
e35d057ea5
Merge pull request #151123 from Artturin/havegedupdate 2022-02-10 17:10:20 +02:00
Aaron Andersen
2d055bb37a nixos/cfssl: minor updates/cleanup 2022-02-05 18:53:35 -05:00
Aaron Andersen
67abfde611 nixos/cfssl: use systemd StateDirectory to provision the data directory 2022-02-05 18:53:28 -05:00
K900
e21fc555d6 nixos/vaultwarden: fix alias after #152372 2022-02-01 07:08:44 +00:00
Luflosi
c6bd1eea71
nixos/tor: fix tor getting killed by systemd when shutting down
Tor waits ShutdownWaitLength seconds (30s by default) before actually shutting down. Since the systemd timeout is also set to 30 seconds, this results in a race condition that ends up killing Tor most of the time on my machine during shutdown.
To fix this, add the ShutdownWaitLength setting and tell systemd to wait 30 seconds more than that.
Arch Linux also has `TimeoutSec` set to 60 seconds: 6df716fe19/trunk/tor.service.
2022-01-25 15:02:18 +01:00
Vincent Haupert
b88ddadf8b nixos/intel-sgx: add option for Intel SGX DCAP compatibility
The Intel SGX DCAP driver makes the SGX application enclave device and
the SGX provisioning enclave available below the path `/dev/sgx/`. Since
Linux 5.11, a derivation of the DCAP driver is part of the kernel and
available through the X86_SGX config option; NixOS enables this option
by default.

In contrast to the out-of-tree DCAP driver, the in-tree SGX driver uses
a flat hierarchy for the SGX devices resulting in the paths
`/dev/sgx_enclave` for the application enclave device and
`/dev/sgx_provison` for the provisioning enclave device.

As of this commit, even the latest version of the Intel SGX PSW
libraries still tries to open the (legacy) DCAP paths only. This means
that SGX software currently cannot find the required SGX devices even if
the system actually supports SGX through the in-tree driver. Intel wants
to change this behavior in an upcoming release of intel/linux-sgx.

Having said that, SGX software assuming the SGX devices below
`/dev/sgx/` will prevail. Therefore, this commit introduces the NixOS
configuration option `hardware.cpu.intel.sgx.enableDcapCompat` which
creates the necessary symlinks to support existing SGX software. The
option defaults to true as it is currently the only way to support SGX
software. Also, enabling the SGX AESM service enables the option.

The permissions of the devices `/dev/sgx_enclave` and
`/dev/sgx_provison` remain the same, i.e., are not affected regardless
of having the new option enabled or not.
2022-01-11 14:02:16 +01:00
pennae
fc614c37c6 nixos/documentation: split options doc build
most modules can be evaluated for their documentation in a very
restricted environment that doesn't include all of nixpkgs. this
evaluation can then be cached and reused for subsequent builds, merging
only documentation that has changed into the cached set. since nixos
ships with a large number of modules of which only a few are used in any
given config this can save evaluation a huge percentage of nixos
options available in any given config.

in tests, this caching, despite having to copy most of nixos/, saves
about 80% of the time needed to build the system manual, or about two
seconds on the machine used for testing. build time for a full system
config shrank from 9.4s to 7.4s, while turning documentation off
entirely shortened the build to 7.1s.
2022-01-02 19:46:13 +01:00
pennae
3dbb117aa5 nixos/aesmd: add missing defaultText 2021-12-29 20:12:03 +01:00
Maximilian Bosch
8f9f754271
nixos/privacyidea: increase buffer-size of uwsgi from 4096 to 8192
When accessing the Audit log, I get an HTTP 502 when the frontend
requests `/audit` and I get the following error in my `nginx`-log:

    Dec 20 22:12:48 ldap nginx[336]: 2021/12/20 22:12:48 [error] 336#336: *8421 recv() failed (104: Connection reset by peer) while reading response header from upstream, client: 10.237.0.1, server: _, request: "GET /audit/?action=**&action_detail=**&administrator=**&client=**&date=**&duration=**&info=**&page=1&page_size=10&policies=**&privacyidea_server=**&realm=**&resolver=**&serial=**&sortorder=desc&startdate=**&success=**&tokentype=**&user=** HTTP/1.1", upstream: "uwsgi://unix:/run/privacyidea/socket:", host: "ldap.ist.nicht-so.sexy", referrer: "https://ldap.ist.nicht-so.sexy/"

This is because of an "invalid request block size"-error according to
`journalctl -u privacyidea.service`:

    Dec 20 22:12:48 ldap uwsgi[10721]: invalid request block size: 4245 (max 4096)...skip

Increasing the buffer to 8192 fixes the problem for me.
2021-12-21 00:51:45 +01:00
Artturin
c5a9a7edc4 haveged: 1.9.2 -> 1.9.15 2021-12-17 22:21:06 +02:00
Graham Christensen
06edb74413
Merge pull request #148785 from pennae/more-option-doc-staticizing
treewide: more defaultText for options
2021-12-17 11:14:08 -05:00
Moritz Hedtke
116ae00e73
nixos/step-ca: create a step-ca user
This allows you to create the certificate files owned by that user so the service can read them.
2021-12-15 20:42:00 +01:00
Vincent Haupert
0b5c9f81e2 nixos/aesmd: add module
Co-authored-by: Alex Zero <joseph@marsden.space>
2021-12-10 10:18:31 +01:00
pennae
ed673a69db treewide: add defaultText for options with simple cfg.* expression defaults
adds defaultText for options with defaults that use only literals, full config.*
paths, and the cfg shortcut binding.
2021-12-09 01:14:16 +01:00
pennae
fb0e5be843 treewide: add defaultText for options with simple interpolation defaults
adds defaultText for all options that use `cfg.*` values in their
defaults, but only for interpolations with no extra processing (other
than toString where necessary)
2021-12-09 01:13:48 +01:00
Robert Hensing
862d167f17
Merge pull request #147441 from pennae/option-doc-staticizing
nixos/*: add trivial defaultText to options where applicable
2021-12-06 01:35:38 +01:00
pennae
2512455639 nixos/*: add trivial defaultText for options with simple defaults 2021-12-02 22:35:04 +01:00
Moritz Hedtke
9d01ce82ac
nixos/tests: add step-ca test 2021-11-13 12:40:47 +01:00
Sandro
e5ac2e1a52
Merge pull request #122452 from ju1m/tor 2021-11-09 21:50:57 +01:00
Jasper Woudenberg
810b3b5fcd nixos/yubikey-agent add maintainer jwoudenberg 2021-10-29 23:13:50 +02:00
Jasper Woudenberg
4ceb33b982 nixos/yubikey-agent: start enabled agent on boot
This adds a `wantedBy` clause to the user systemd service for
yubikey-agent, to ensure an enabled agent is started on boot. This
brings the behavior in line with existing documentation.

If the user has selected a graphical pinentry program, then we need to
wait for the graphical environment to exist before starting the
yubikey-agent. I've found that if we start the agent earlier it will
fail when we perform an ssh command later.
2021-10-29 23:13:46 +02:00
Wei Tang
7c7cd951c5
nixos/step-ca: fix comment typo 2021-10-26 20:47:30 +02:00
Maximilian Bosch
47fc40d5ab
pythonPackages.privacyidea-ldap-proxy: 0.6.1 -> 0.6.2, switch to python3 2021-10-18 21:14:35 +02:00
Naïm Favier
2ddc335e6f
nixos/doc: clean up defaults and examples 2021-10-04 12:47:20 +02:00
Aaron Andersen
559449530f
Merge pull request #132319 from onny/opensnitch
nixos/opensnitch: Add module for opensnitch
2021-09-19 11:31:21 -04:00
rnhmjoj
64f5d681d9
nixos/physlock: fix broken wrapper
- `user` doesn't exist -> `owner`
- set `setuid,group` as well (no longer optional)
2021-09-19 11:53:41 +02:00
Jonas Heinrich
94f775024e Opensnitch: Add module 2021-09-14 18:51:23 +02:00
Bobby Rong
39261adc92
Merge pull request #135626 from delroth/tor-netlink
nixos/tor: allow AF_NETLINK address family
2021-09-14 22:57:34 +08:00
Guillaume Girol
3592034595
Merge pull request #133166 from symphorien/nonogroup
Don't default to nogroup for the primary group of users.
2021-09-13 18:29:21 +00:00
Guillaume Girol
bc3bca822a nixos: define the primary group of users where needed 2021-09-12 14:59:30 +02:00
Maximilian Bosch
69e75754d5
nixos/privacyidea: use sudo(8) that's configured via the module 2021-09-08 22:45:50 +02:00
Pierre Bourdon
6b70d3e911
nixos/tor: allow AF_NETLINK address family
Tor attempts to detect what external IP address a machine is using by
listing addresses on all network interfaces on the system. This listing
is done using getifaddrs(3), which relies on netlink in order to get
IPv6 address information.

This change fixes Tor not finding the relay's IPv6 address unless
explicitly configured via either an ORPort directive or via DNS
resolution of the machine hostname.
2021-08-25 06:03:41 +02:00
Elis Hirwing
09a49354b6
nixos/hockeypuck: Add service for hockeypuck 2021-07-19 07:33:01 +02:00
Antoine Martin
2463620fc2
nixos/vaultwarden: make package configurable (#113216)
This allows the user to override the version of Vaultwarden used by the
service, if using an overlay to keep up to date with releases for
example.
2021-07-14 17:20:10 -04:00